Published: 2025-08-01
Implementation of Zero-Knowledge Encryption in a Web-Based Password Manager
DOI: 10.35870/ijsecs.v5i2.4207
R. Krisviarno Darmawan, Ariya Dwika Cahyono
-
R. Krisviarno Darmawan:
Satya Wacana Christian University
-
Ariya Dwika Cahyono:
Satya Wacana Christian University
Abstract
-The secure management of account credentials presents a considerable challenge in the digital era, as many users continue to engage in unsafe practices such as password reuse. Conventional password managers typically store encrypted data on servers, which introduces risks if those servers are compromised. This study develops a web-based password manager that implements Zero-Knowledge Encryption (ZKE), ensuring that all essential cryptographic operations are executed exclusively on the client side (browser). Employing a client-server architecture (React frontend, Python/FastAPI backend), the system derives encryption keys from the user’s master password using Argon2id (4 iterations, 64 MB memory, 1 parallelism), and performs credential data encryption and decryption with AES-GCM entirely on the client side. The server is limited to receiving and storing encrypted data (verifier, salt, data blobs), without ever accessing the master password or plaintext credentials. Network payload analysis conducted with Chrome DevTools confirms that the ZKE implementation effectively prevents the exposure of sensitive data to the server. This approach substantially improves data privacy and security against server-side threats. Nevertheless, the ZKE model lacks an account recovery feature, placing full responsibility on users to protect their master passwords—a trade-off that underscores the need for further investigation into ZKE-compatible recovery mechanisms.
Keywords
Password Manager; Zero-Knowledge Encryption; Client-Side Encryption; Web Security; Argon2id; AES-GCM; Python; FastAPI
Article Information
This article has been peer-reviewed and published in the International Journal Software Engineering and Computer Science (IJSECS). The content is available under the terms of the Creative Commons Attribution 4.0 International License.
-
Issue: Vol. 5 No. 2 (2025)
-
Section: Articles
-
Published: 2025-08-01
-
License: CC BY 4.0
-
Copyright: © 2025 Authors
-
DOI: 10.35870/ijsecs.v5i2.4207
AI Research Hub
This article is indexed and available through various AI-powered research tools and citation platforms. Our AI Research Hub ensures that scholarly work is discoverable, accessible, and easily integrated into the global research ecosystem.
R. Krisviarno Darmawan, Satya Wacana Christian University
Informatics Engineering Study Program, Faculty of Information Technology, Universitas Kristen Satya Wacana, Salatiga City, Central Java Province, Indonesia
Ariya Dwika Cahyono, Satya Wacana Christian University
Informatics Engineering Study Program, Faculty of Information Technology, Universitas Kristen Satya Wacana, Salatiga City, Central Java Province, Indonesia
-
Sudiarto, W., Dhian, I., Ratri, E. K., & Susilo, H. (2017, April). Implementasi two factor authentication dan protokol zero knowledge proof pada sistem login. JUTISI, 3(1), 127–136. https://doi.org/10.28932/jutisi.v3i1.579
-
Alkaldi, N. A. (2019). Adopting password manager applications among smartphone users (PhD thesis, University of Glasgow). https://doi.org/10.5525/gla.thesis.74359
-
Alodhyani, F., Theodorakopoulos, G., & Reinecke, P. (2020, November). Password managers—it’s all about trust and transparency. Future Internet, 12(11), 1–50. https://doi.org/10.3390/fi12110189
-
Oladipupo, R. O., & Olajide, A. O. (2019). An enhanced web security for cloud-based password management. [Online]. Available: www.aujst.com
-
Aditama, W. Y., Hikmah, I. R., & Priambodo, D. F. (2023, August). Analisis komparatif keamanan aplikasi pengelola kata sandi berbayar Lastpass, 1Password, dan Keeper berdasarkan ISO/IEC 25010. Jurnal Teknologi Informasi dan Ilmu Komputer, 10(4), 857–864. https://doi.org/10.25126/jtiik.2023106544
-
Oesch, S., & Ruoti, S. (2020, August). That was then, this is now: A security evaluation of password generation, storage, and autofill in browser-based password managers. In Proceedings of the 29th USENIX Conference on Security Symposium (pp. 2165-2182).
-
Pargaonkar, S. (2023, August). A comprehensive research analysis of software development life cycle (SDLC) agile & waterfall model advantages, disadvantages, and application suitability in software quality engineering. International Journal of Scientific and Research Publications, 13(8), 120–124. https://doi.org/10.29322/ijsrp.13.08.2023.p14015
-
Chatzoglou, E., Kampourakis, V., Tsiatsikas, Z., Karopoulos, G., & Kambourakis, G. (2024, June). Keep your memory dump shut: Unveiling data leaks in password managers. In IFIP International Conference on ICT Systems Security and Privacy Protection (pp. 61-75). Cham: Springer Nature Switzerland. https://doi.org/10.48550/arXiv.2404.00423
-
Khande, R., Ramaswami, S., Naidu, C., & Patel, N. (2021). An effective mechanism for securing and managing password using AES-256 encryption & PBKDF2. Technology (IJEET), 12(5), 1-7. https://doi.org/10.34218/ijeet.12.5.2021.001
-
Garcia, S. P. L., Abraham, A. S., Kepic, K., & Cankaya, E. C. (2023). A Comparative Analysis of Web Application Vulnerability Tools. Journal of Information Systems Applied Research, 16(2). [Online]. Available: https://conisar.org
-
Laipaka, R. (2022). Penerapan JWT untuk Authentication dan Authorization pada Laravel 9 menggunakan Thunder Client. In Seminar Nasional Corisindo.
-
Chuah, C. W., Harun, N. Z., & Hamid, I. R. A. (2024). Key derivation function: key-hash based computational extractor and stream based pseudorandom expander. PeerJ Computer Science, 10, e2249. https://doi.org/10.7717/peerj-cs.2249
-
Susanti, A., Prasetiya, B. A., Pangesti, O. D., Suryawati, L. D., & Saputro, I. A. (2024, December). Perbandingan kinerja dan keamanan algoritma kriptografi modern AES-GCM dengan CHACHA20-POLY1305. Infomatek, 26(2), 253–264. https://doi.org/10.23969/infomatek.v26i2.19255
-
R. S. (2020, October). Navigating client-side storage in modern web applications: Mechanisms, best practices, and future directions. International Journal For Multidisciplinary Research, 2(5). https://doi.org/10.36948/ijfmr.2020.v02i05.12096
-
Tippe, P., & Berner, M. P. (2025, August). Evaluating Argon2 Adoption and Effectiveness in Real-World Software. In International Conference on Availability, Reliability and Security (pp. 25-46). Cham: Springer Nature Switzerland. https://doi.org/10.48550/arXiv.2504.17121
-
Fedorchenko, V., Yeroshenko, O., Shmatko, O., Kolomiitsev, O., & Omarov, M. (2024, November). Password hashing methods and algorithms on the .NET platform. Advanced Information Systems, 8(4), 82–92. https://doi.org/10.20998/2522-9052.2024.4.11
-
Belay, T. E., Gupta, S., & Burisa, E. (2025, April). Perform scanning and comparison of open source web application testing tools: Using strategic holistic approach. Journal of Posthumanism, 5(2), 1377–1402. https://doi.org/10.63332/joph.v5i2.512
-
Maniraj, S. P., Ranganathan, C. S., & Sekar, S. (2024). Securing web applications with owasp zap for comprehensive security testing. International Journal of Advances in Signal and Image Sciences, 10(2), 12-23. https://doi.org/10.29284/ijasis.10.2.2024.12-23
-
Putri, M., Ginting, A., & Lubis, A. S. (2024). Pengujian aplikasi berbasis web data Ska menggunakan metode black box testing. Februari, 2(1), 41–48. https://doi.org/10.55537/cosmic.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
1. Copyright Retention and Open Access License
Authors retain copyright of their work and grant the journal non-exclusive right of first publication under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
This license allows unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
2. Rights Granted Under CC BY 4.0
Under this license, readers are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material for any purpose, including commercial use
- No additional restrictions — the licensor cannot revoke these freedoms as long as license terms are followed
3. Attribution Requirements
All uses must include:
- Proper citation of the original work
- Link to the Creative Commons license
- Indication if changes were made to the original work
- No suggestion that the licensor endorses the user or their use
4. Additional Distribution Rights
Authors may:
- Deposit the published version in institutional repositories
- Share through academic social networks
- Include in books, monographs, or other publications
- Post on personal or institutional websites
Requirement: All additional distributions must maintain the CC BY 4.0 license and proper attribution.
5. Self-Archiving and Pre-Print Sharing
Authors are encouraged to:
- Share pre-prints and post-prints online
- Deposit in subject-specific repositories (e.g., arXiv, bioRxiv)
- Engage in scholarly communication throughout the publication process
6. Open Access Commitment
This journal provides immediate open access to all content, supporting the global exchange of knowledge without financial, legal, or technical barriers.